Research Team Reports Critical Internet Explorer Vulnerability Three Years Later

A group of researchers recently disclosed a critical zero-day vulnerability found in multiple versions of Microsoft’s Internet Explorer (IE) that was originally discovered back in February of 2011.

The security firm VUPEN finally reported the flaw during the Pwn2Own contest held mid-March this year. Nearly three months after the report, Microsoft issued a patch on June 17 and released an advisory describing the security flaws exploited.

Microsoft reported that the vulnerability (CVE-2014-2777) affected users of IE versions 6 through 11. “The security update addressed the vulnerabilities by modifying the way that Internet Explorer handles objects in memory, validates permissions, and handles negation of certificates during a TLS session,” read the advisory.

In return, VUPEN’s research team collected $300,000 for the vulnerabilities affecting Adobe Reader, Adobe Flash, Mozilla Firefox and Internet Explorer.

Recent research has also revealed that Internet Explorer bugs reached an all-time high in the first half of 2014 alone, doubling from the flaws found in the previous year.

“Internet Explorer was the most patched and also one of the most exploited products, surpassing Oracle Java, Adobe Flash and others in the fray,” read Bromium’s endpoint exploitation report (.PDF).

The security company noted that the Microsoft browser will most likely continue to be the “sweet spot for attackers.”